DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Review of DHS Security Controls for Portable Storage Devices

OIG-08-95                                   September 2008

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

September 26, 2008

Preface

The Department of Homeland Security, Office of Inspector General, was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

The report identifies measures that the Department of Homeland Security can take to minimize the risk of theft or mishandling of the department's sensitive information and of unauthorized use of portable storage devices. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, discovery scans, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
  Unauthorized Devices Have Been Connected to DHS Systems
    Recommendations
    Management Comments and OIG Analysis
  Security Policies Should Be Implemented
    Recommendation
    Management Comments and OIG Analysis
  Implementation of OMB-Required Controls Can Minimize Risk
    Recommendation
    Management Comments and OIG Analysis
Appendices
  Appendix A: Purpose, Scope, and Methodology
  Appendix B: Management Comments to the Draft Report
  Appendix C: Major Contributors to this Report
  Appendix D: Report Distribution

Abbreviations

CBP      Customs and Border Protection
CIS      Citizenship and Immigration Services
DHS      Department of Homeland Security
FEMA     Federal Emergency Management Agency
FIPS     Federal Information Processing Standards
FLETC    Federal Law Enforcement Training Center
I&A      Intelligence and Analysis
ICE      Immigration and Customs Enforcement
NPPD     National Protection and Programs Directorate
OMB      Office of Management and Budget
S&T      Science and Technology
TSA      Transportation Security Administration
USB      Universal Serial Bus
USCG     United States Coast Guard
USSS     United States Secret Service

Executive Summary

We evaluated the use of portable storage devices at the Department of Homeland Security (DHS). Our objective was to determine whether DHS has addressed the emerging security threat from the proliferation of portable storage devices. We also followed up on the actions DHS has taken in response to Office of Management and Budget (OMB) Memorandum 06-16 (M-06-16), Protection of Sensitive Agency Information.
The proliferation and uncontrolled use of portable storage devices (e.g., flash drives, external hard drives, and portable music players) increase the risk of theft and mishandling of sensitive information when users insert their personal or unauthorized devices into their agencies' computers' Universal Serial Bus (USB) or FireWire ports.

DHS has taken actions to address the threat of unauthorized access to its sensitive information from the proliferation of portable storage devices. For example, DHS has established policies on the acceptable use of portable storage devices. In addition, DHS is evaluating a technical solution that will encrypt information stored on all recordable media.

We determined, however, that the policies developed have not been implemented by the components. Specifically, components do not have a centralized process to procure and distribute portable storage devices to ensure that only authorized devices that meet the technical requirements can connect to their systems. In addition, most components have not identified and do not maintain an inventory of authorized devices. Further, the devices sampled were not properly marked to protect the information stored on them from mishandling. Finally, DHS has not implemented all M-06-16 controls, even though two years have elapsed since OMB's milestone.

We recommend that components identify and establish an inventory of authorized devices; implement controls to ensure that only authorized devices can connect to DHS systems; and perform discovery scans, at least annually, to identify unauthorized devices. Finally, DHS should devote additional resources to implement OMB M-06-16 controls expeditiously. The department's response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

The proliferation and uncontrolled use of portable storage devices increase the risk of theft and mishandling of sensitive information. This condition is most prevalent when users insert their personal or unauthorized devices into a computer's USB or FireWire ports. Examples of portable storage devices include flash drives, pen drives, external hard drives, and portable music and video players, such as iPods, that can also be used to store data. These devices are small enough to fit into a shirt pocket, relatively inexpensive, and can store a large amount of data. The features that make them popular also introduce new security risks and amplify risks that already existed with floppy disks.
(Figure: Portable Storage Devices, showing examples of the devices described above.)

The risks of theft and mishandling of sensitive data stored on portable storage devices became more apparent when several incidents were reported in 2006. For example, local police in New Mexico seized three USB flash drives containing classified government information from the Los Alamos National Laboratory at a contract employee's home. Additionally, stolen U.S. military flash drives containing records about military operations and individual soldiers were found being sold at a street market in Afghanistan.

In response to the above and a series of other incidents involving the compromise or loss of sensitive personal information, OMB issued M-06-16, Protection of Sensitive Agency Information. This memorandum recommends measures to compensate for the lack of physical security controls when sensitive information is removed or accessed from outside the agency location. Agencies were required to implement the following measures by August 7, 2006:

• Encrypt sensitive data stored on laptop computers and mobile computing devices
• Establish two-factor authentication for remote access connections
• Enable the timeout feature for remote access after 30 minutes of inactivity
• Log all data extracts from databases holding sensitive information, and ensure that copies of extracts made by users or administrators are erased within 90 days if they are no longer needed.

Fieldwork was performed at Citizenship and Immigration Services (CIS), Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), Federal Law Enforcement Training Center (FLETC), Immigration and Customs Enforcement (ICE), Intelligence and Analysis (I&A), Management Directorate (Management), National Protection and Programs Directorate (NPPD), Science and Technology (S&T), Transportation Security Administration (TSA), United States Coast Guard (USCG), and United States Secret Service (USSS). We performed discovery scans, using USBDetect software,1 to identify whether unauthorized devices had been connected to DHS' unclassified systems at 11 components and five international airports located in California, Florida, Maryland, and Virginia.2 In addition, we performed scans on selected classified systems at FEMA, I&A, and S&T.

1 USBDetect is a software tool developed by the National Security Agency. The tool gathers data from the registry on Microsoft Windows machines and reports whether storage devices, such as portable music and video players, external hard drives, flash drives, jump drives, and thumb drives, have been connected to the USB ports.
2 We only evaluated the use of portable storage devices on selected classified systems at I&A.

Results of Audit

Unauthorized Devices Have Been Connected to DHS Systems

DHS has implemented an effective process to ensure that only authorized devices are connected to its classified systems. Specifically, system administrators have disabled the USB ports to restrict portable storage devices from connecting to DHS' classified systems.
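The discovery scans cited in this report relied on USBDetect, which, as footnote 1 explains, reads the Windows registry for traces of devices that have been connected. The PowerShell script below is an added example written for this page; it is not the NSA tool and not DHS code. It walks the Enum\USBSTOR branch that Windows populates when a USB mass-storage device is installed, extracts vendor, product, revision and serial number for each unit, and compares the serial against an authorized-device inventory of the kind Recommendation #3 calls for. The inventory path and its CSV columns are assumptions, and the script must run in an elevated session.

```powershell
# Added example for this page (not the NSA's USBDetect and not DHS code).
# Lists every USB mass-storage unit Windows has ever installed on this host,
# by reading the Enum\USBSTOR registry branch, and flags units whose serial
# number is missing from an authorized-device inventory.
# Assumptions: elevated PowerShell session; the inventory CSV path and its
# columns (Manufacturer,Model,Serial) are hypothetical.

param(
    [string] $InventoryCsv = 'C:\Inventory\authorized-usb.csv'
)

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$UsbKey     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'

function Get-AuthorizedSerials {
    param([string] $Path)
    $set = @{}
    if (Test-Path $Path) {
        Import-Csv $Path | ForEach-Object { $set[$_.Serial.Trim().ToUpper()] = $_ }
    }
    return $set
}

function Get-UsbStorageHistory {
    param([hashtable] $Authorized)
    foreach ($model in Get-ChildItem $UsbStorKey -ErrorAction SilentlyContinue) {
        # Key name looks like: Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26
        $fields = @{}
        foreach ($part in $model.PSChildName -split '&') {
            if ($part -match '^(Ven|Prod|Rev)_(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        # One sub-key per physical unit. Its name is the USB serial number
        # (e.g. 4C530001234567890123&0); a second character of '&' means the
        # device reported no serial and Windows generated an instance ID.
        foreach ($unit in Get-ChildItem $model.PSPath) {
            $instance  = $unit.PSChildName
            $generated = ($instance.Length -gt 1) -and ($instance[1] -eq '&')
            $serial    = if ($generated) { $null } else { ($instance -split '&')[0] }
            $serialOut = if ($serial) { $serial } else { '(none reported)' }
            $props     = Get-ItemProperty $unit.PSPath
            [pscustomobject]@{
                Vendor       = $fields['Ven']
                Product      = $fields['Prod']
                Revision     = $fields['Rev']
                Serial       = $serialOut
                FriendlyName = $props.FriendlyName
                Authorized   = [bool]($serial -and $Authorized.ContainsKey($serial.ToUpper()))
            }
        }
    }
}

# Media players that attach as MTP/PTP rather than as a disk never appear under
# USBSTOR; on Vista and later they show up under Enum\USB with device class WPD
# (Windows Portable Devices), so a scan that stops at USBSTOR would miss them.
function Get-PortableDeviceHistory {
    foreach ($dev in Get-ChildItem $UsbKey -ErrorAction SilentlyContinue) {
        foreach ($unit in Get-ChildItem $dev.PSPath) {
            $props = Get-ItemProperty $unit.PSPath
            if ($props.Class -eq 'WPD') {
                [pscustomobject]@{
                    DeviceId    = "USB\$($dev.PSChildName)"   # USB\VID_xxxx&PID_xxxx
                    Instance    = $unit.PSChildName
                    Description = $props.DeviceDesc
                }
            }
        }
    }
}

$authorized = Get-AuthorizedSerials -Path $InventoryCsv
$storage    = @(Get-UsbStorageHistory -Authorized $authorized)
$players    = @(Get-PortableDeviceHistory)

$storage | Sort-Object Authorized, Vendor, Product | Format-Table -AutoSize
$players | Format-Table -AutoSize

$unauthorized = @($storage | Where-Object { -not $_.Authorized })
Write-Output ('{0} storage unit(s) recorded, {1} not in inventory; {2} portable-device unit(s) recorded.' -f $storage.Count, $unauthorized.Count, $players.Count)
```

Two caveats match the report's own finding. A registry entry proves only that a unit was installed at some point: it does not say when, or whether any file was copied to it, so the scan is a detective control, not evidence of data loss. And a device that reports no serial number cannot be matched to an inventory at all, which is one reason to procure only drives that do.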
On unclassified systems, by contrast, DHS has not implemented effective controls to restrict unauthorized devices from being connected.

Based on our discovery scans, we identified instances where storage devices and portable music and video players were connected to selected unclassified servers and workstations at the 11 component offices included in our testing. Although we could not determine when these devices were connected or whether any sensitive information had been copied to them, DHS' controls did not restrict users from connecting unauthorized devices to the department's unclassified systems.

The discovery of unauthorized devices connected to DHS' information systems is an indication that the controls implemented may not be effective in protecting DHS' sensitive data from unauthorized access or theft. Furthermore, while a few components (CBP, Management, TSA, USCG, and USSS) performed discovery scans to determine whether unauthorized devices had been connected to their systems, there is no set schedule that outlines the frequency of the scans. Unless effective controls are implemented, increased risks exist for the potential mishandling or misuse of DHS' sensitive information stored on portable storage devices.

According to DHS officials, the department recognized the threats from the proliferation and uncontrolled use of portable storage devices. DHS has recently begun to evaluate a new technical solution that will automatically encrypt any recordable media (such as USB flash drives, external hard drives, portable music and video players, and CDs/DVDs) inserted into DHS systems. Once the encryption is applied, users can access sensitive information stored on these devices only when they are connected to DHS systems. With the new technical solution, the officials indicated, there would be no need to maintain an inventory of authorized devices or to ensure that the devices being used meet certain technical specifications. Furthermore, the officials said that deploying the new technical solution would be cheaper than purchasing portable storage devices with a biometric encryption feature.

DHS does not have a timeline for implementing the new solution. According to the officials, DHS plans to deploy it department-wide once its technical evaluation is completed and the results are satisfactory. We believe that once the new technical solution is implemented, it can minimize the threats of potential mishandling or misuse of DHS' sensitive information.

Recommendations

We recommend that the Chief Information Officer direct the components' Chief Information Officers to:

Recommendation #1: Establish a process to ensure that only authorized portable storage devices can connect to DHS systems.
In addition, awareness training should be provided to users to educate them on the risks associated with the use of portable storage devices.

Recommendation #2: Implement stringent technical controls to ensure that unauthorized devices are not connected to DHS systems. Discovery scans should be performed, at least annually, to identify unauthorized devices.

Management Comments and OIG Analysis

DHS concurred with recommendation 1. DHS acknowledged the deficiency in its current hardware and network settings that may allow users to connect non-approved devices to DHS equipment and networks. Additionally, DHS restated its current policy that employees and contractors are prohibited from using any non-government-issued removable media (e.g., USB flash drives), from connecting such media to DHS equipment and networks, and from storing DHS sensitive information on them. All DHS-issued USB flash drives must be FIPS 197 compliant and have received FIPS 140-2 validation to protect the information stored on these devices. In addition, DHS plans to implement a technical solution with Windows Vista and Windows Server 2008. Finally, DHS stated that its users are already being educated on the risks associated with the use of portable storage devices as part of the current security awareness training.

We agree that the steps DHS plans to take satisfy this recommendation. DHS did not provide an estimated timeframe to deploy Windows Vista and Windows Server 2008. DHS' sensitive data continues to be at risk until the department implements an effective process to ensure that only authorized portable storage devices can connect to its systems. Specifically, the results of discovery scans revealed that relying on policy alone does not restrict or deter users from connecting their personal music and video players (e.g., iPods) to DHS systems. While connecting an iPod to a DHS system is a violation of existing DHS policy, it is confirmation that a deficiency exists in the department's current hardware and network settings which allows users to connect non-approved devices to DHS equipment and networks. It may also be an indicator that the current security awareness training may not be effective in educating users on the risks associated with the use of portable storage devices.

DHS concurred with recommendation 2. DHS agreed that the use of portable storage devices (e.g., USB flash drives) should be controlled. Currently, DHS restricts the use of portable storage devices through policy, security awareness training, and disabling USB ports on workstations. DHS indicated that more stringent controls are available through Windows Vista and through Group Policy Objects in Windows Server 2008. Specifically, a deployment of Vista and Server 2008 has the capability to restrict USB device installation by Device ID and Device Class. The Device ID matches the exact make, model, and revision of the device, such as a particular USB drive model and manufacturer. Finally, DHS agreed that discovery scans should be performed annually to detect unauthorized devices.

We agree that the steps DHS plans to take satisfy this recommendation.
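DHS' comment refers to the Device Installation Restrictions policy that Windows Vista and Windows Server 2008 enforce through Group Policy (restriction by Device ID and by Device Class). The script below is an added example for this page, not DHS' planned configuration and not text from the report. It writes, on the local machine, the same registry-backed policy values that the Group Policy editor stores for those settings (Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions), so the allow-list approach can be tried on one workstation before it is delivered by a GPO. It refuses installation of any device not described by another setting, keeps a named set of device classes installable, and allows the exact hardware IDs of the drives listed in an inventory CSV. The inventory path and columns are assumptions, and the session must be elevated.

```powershell
# Added example for this page (not DHS' configuration and not from the report).
# Applies the Device Installation Restrictions policy values locally: deny any
# device not described by another setting, then allow a fixed set of device
# classes and the exact hardware IDs of authorized USB drives.
# Assumptions: elevated session; the inventory CSV path and its columns
# (Manufacturer,Model,Revision,VID,PID) are hypothetical.

param(
    [string] $InventoryCsv = 'C:\Inventory\authorized-usb.csv'
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Setup class GUIDs that must stay installable once "deny unspecified" is on.
# Extend this list for whatever else new workstations legitimately attach.
$AllowedClasses = @(
    '{36fc9e60-c465-11ce-8056-444553540000}',  # USB host controllers and hubs
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}',  # HIDClass
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}',  # Mouse
    '{71a27cdd-812a-11d0-bec7-08002be2092f}'   # Volume (child node of an allowed disk)
)

# Each authorized drive presents two device nodes that both need an allow entry:
# the USB device node (VID/PID) and the USBSTOR disk node, whose hardware ID is
# the SCSI inquiry strings padded with underscores to 8 (vendor), 16 (product)
# and 4 (revision) characters.
function ConvertTo-UsbHardwareIds {
    param([pscustomobject] $Row)
    $pad  = { param($s, $n) ($s -replace ' ', '_').PadRight($n, '_').Substring(0, $n) }
    $disk = 'USBSTOR\Disk' + (& $pad $Row.Manufacturer 8) + (& $pad $Row.Model 16) + (& $pad $Row.Revision 4)
    $usb  = 'USB\VID_{0}&PID_{1}' -f $Row.VID.ToUpper(), $Row.PID.ToUpper()
    return @($usb, $disk)
}

function Set-PolicyList {
    # Writes <key>\<ListName> = 1 (enable) and <key>\<ListName>\1..n = entries,
    # the layout the Group Policy editor itself uses for these settings.
    param([string] $ListName, [string[]] $Entries)
    $list = Join-Path $PolicyKey $ListName
    if (Test-Path $list) { Remove-Item $list -Recurse -Force }
    New-Item $list -Force | Out-Null
    $i = 1
    foreach ($e in $Entries) { New-ItemProperty $list -Name $i -Value $e -PropertyType String | Out-Null; $i++ }
    New-ItemProperty $PolicyKey -Name $ListName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Set-DeviceInstallRestrictions {
    param([string] $Csv)
    $ids = foreach ($row in Import-Csv $Csv) { ConvertTo-UsbHardwareIds -Row $row }
    New-Item $PolicyKey -Force | Out-Null
    Set-PolicyList -ListName 'AllowDeviceClasses' -Entries $AllowedClasses
    Set-PolicyList -ListName 'AllowDeviceIDs'     -Entries @($ids | Sort-Object -Unique)
    # Administrators may still install; every other new device is refused.
    New-ItemProperty $PolicyKey -Name 'AllowAdminInstall' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty $PolicyKey -Name 'DenyUnspecified'   -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-DeviceInstallRestrictions {
    # Read-back for an audit: the switches and the ID/class lists in effect.
    $p = Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue
    $readList = {
        param($name)
        @(Get-ItemProperty (Join-Path $PolicyKey $name) -ErrorAction SilentlyContinue |
          ForEach-Object { $_.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value })
    }
    [pscustomobject]@{
        DenyUnspecified   = [int]$p.DenyUnspecified
        AllowAdminInstall = [int]$p.AllowAdminInstall
        AllowedDeviceIDs  = & $readList 'AllowDeviceIDs'
        AllowedClasses    = & $readList 'AllowDeviceClasses'
    }
}

Set-DeviceInstallRestrictions -Csv $InventoryCsv
Get-DeviceInstallRestrictions | Format-List
```

Three points matter when using this. The policy is evaluated at installation time, so a drive that was plugged in before the policy existed keeps working unless the corresponding "also apply to matching devices that are already installed" option is set; the discovery scan is what finds those. The "prevent" settings (by ID, by class, and for removable devices) take precedence over the allow lists, so a blanket deny on the DiskDrive class would also block the internal disk; allow-listing through "deny unspecified" is what leaves authorized drives usable. And a hardware ID names a make, model and revision, not a unit, which is exactly DHS' observation that this mechanism does not identify serial numbers: two drives of the same model are indistinguishable to it, so the inventory of serial numbers still has to be kept and checked separately.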
DHS should deploy an interim solution to restrict the unauthorized use of portable storage devices until Windows Vista and Windows Server 2008 are implemented. During our review, we determined that USB ports were disabled only on some classified workstations.

Security Policies Should Be Implemented

DHS has developed policies to mitigate the risks associated with the use of portable storage devices on both classified and unclassified systems. For example, DHS requires that information stored on portable storage devices be encrypted in accordance with FIPS 140-2 standards.3 In addition, DHS prohibits the use of personal devices on DHS systems. Furthermore, DHS requires that all recordable media, including authorized portable storage devices, be properly marked to indicate the data's classification, such as "For Official Use Only (FOUO)," "Secret," or "Top Secret."

Several major components (CBP, FLETC, ICE, NPPD, TSA, and USCG) have developed policies that are aligned with DHS' guidance regarding the use of portable storage devices. However, neither DHS' nor the components' policies have been fully implemented. Specifically, we identified:

• Portable storage devices are authorized for use at 11 of the 12 components visited.4 However, none of these 11 components has established a centralized process to procure and distribute these devices. A centralized process is essential to ensure that only devices that meet DHS and components' technical requirements are used to process and store sensitive information.
• FEMA and I&A prohibit the use of portable storage devices on their classified systems.
• CBP, CIS, FEMA, FLETC, ICE, Management, NPPD, S&T, and USCG did not maintain inventories of authorized devices. CBP, CIS, ICE, and NPPD indicated that an inventory was not maintained because the monetary value of these portable devices was below the threshold for inventory tracking. When an inventory is not maintained, DHS and its components cannot track the use of these devices or ensure that only authorized devices are connected to their networks.
• CIS, FEMA, FLETC, ICE, Management, NPPD, S&T, USCG, and USSS did not apply "marking" to the devices sampled to protect sensitive information stored on them from being mishandled. Applying proper marking can minimize the risks associated with the accidental disclosure of sensitive data stored on portable storage devices.

3 This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunications systems. FIPS 140-2, Security Requirements for Cryptographic Modules, dated May 25, 2001.
4 We did not evaluate the use of portable storage devices on I&A's unclassified systems. We only evaluated the use of these devices on classified systems located in an I&A sensitive compartmented information facility.

The implementation of specific policies is essential to ensure that sensitive information stored on portable storage devices is protected from unauthorized use, theft, or mishandling. To protect against threats involving potential misuse, it is imperative that DHS and its components establish a centralized process to procure and distribute portable storage devices, maintain an inventory of authorized devices, and apply proper marking to protect information stored on these devices from unauthorized disclosure.

Recommendation

We recommend that the Chief Information Officer direct the components' Chief Information Officers to:

Recommendation #3: Identify the manufacturers and models of authorized devices. Ensure that an inventory, which contains the names of manufacturers and serial numbers of devices, is maintained.
The devices should be marked to indicate the data classification, to protect the sensitive information stored on them from unauthorized disclosure or mishandling.

Management Comments and OIG Analysis

DHS concurred with recommendation 3. DHS stated that an inventory of authorized portable storage devices can be established under the Windows Vista and Windows Server 2008 environment, as the Device ID for all authorized USB devices can be identified. However, this capability does not include the identification of serial numbers for USB devices. As this solution is not available until DHS is operating in a Vista and Server 2008 environment, DHS has identified standards for USB flash drives, which require these devices to be FIPS 140-2 and FIPS 197 compliant. Finally, DHS restated its policy requirement to have appropriate markings on storage media.

We agree that the steps DHS plans to take satisfy this recommendation. However, DHS does not plan to establish an inventory of its authorized portable storage devices until Windows Vista and Windows Server 2008 are implemented. In addition, DHS does not plan additional actions to enforce its current policy to ensure these devices are properly marked to indicate the data classification and protect sensitive information from unauthorized disclosure or mishandling.

Implementation of OMB-Required Controls Can Minimize Risk

In January 2007, we reported that DHS and its components were in the process of implementing OMB's recommended security controls for sensitive data and personally identifiable information (PII) as outlined in M-06-16.5 During this evaluation, we followed up on the actions taken to implement these controls at 11 components and determined that DHS has not completed the implementation of the required OMB controls to protect its sensitive data from unauthorized access.6

The purpose of OMB M-06-16 was to compensate for the lack of physical security controls when sensitive information is removed or accessed from outside the agency location.
The implementation\n                          of these controls can also minimize the risks of unauthorized\n                          access to the sensitive data stored on portable storage devices.\n\n                          Specifically, we identified:\n\n                                   \xe2\x80\xa2\t Ten of the 11 components have installed encryption\n                                      software to protect sensitive information stored on their\n                                      laptops\n                                   \xe2\x80\xa2\t Seven of the 11 components implemented the session\n                                      time-out function which requires users to\n                                      re-authenticate after 30 minutes of inactivity\n                                   \xe2\x80\xa2\t Only 5 of the 11 components have implemented\n                                      two-factor authentication7\n                                   \xe2\x80\xa2\t None of the 11 components tested implemented\n                                      effective controls or a reliable process to ensure that\n                                      data extracts are erased within 90 days or when no\n                                      longer needed.\n\n                          Despite some progress in implementing OMB-required controls,\n                          more attention and resources may be needed to ensure that\n                          sensitive data stored on laptops and mobile computing devices is\n                          protected from unauthorized access. Further, DHS officials need\n                          to develop milestones for implementing OMB M-06-16. Until\n\n5\n  DHS\xe2\x80\x99s\xe2\x80\x99 Implementation of Protective Measures for Personally Identifiable Information (OIG-07-24,\n\nJanuary 2007). \n\n6\n  We performed fieldwork at 12 components. 
However, the National Institute of Standards and Technology \n\nSpecial Publication 800-53, Recommended Security Controls for Federal Information Systems, controls\n\noutlined in OMB M-06-16 do not apply to I&A\xe2\x80\x99s classified systems. \n\n7\n  Two-factor authentication is a security process in which the user provides two means of identification, \n\none of which is typically a physical token, such as a card, and the other of which is typically something \n\nmemorized. \n\n\n                       Review of DHS Security Controls for Portable Storage Devices \n\n\n                                                  Page 9 \n\n\x0c       these controls have been implemented, there is an increased risk\n       that sensitive data may be compromised through the loss or theft of\n       laptop computers and mobile computing devices.\n\nRecommendation\nWe recommend that the Chief Information Officer direct the Chief\nInformation Security Officer to:\n\nRecommendation #4: Devote additional resources to ensure the controls\noutlined in OMB M-06-16 are implemented expeditiously.\n\n\nManagement Comments and OIG Analysis\n       DHS did not concur with recommendation 4. DHS did not agree\n       that the OIG should direct the Chief Information Officer on\n       allocating its resources. However, the Chief Information Officer\n       acknowledged that resources must be identified to implement these\n       controls. DHS indicated that implementation plans were being\n       developed based on risks and cost analysis.\n\n       We maintain our position that it has been two years since OMB\xe2\x80\x99s\n       mandated milestone has elapsed and that DHS should ensure\n       controls outlined in OMB M-06-16 are implemented expeditiously.\n\n       We would note as well that we are not directing anything regarding\n       the allocation of resources at DHS. 
Rather, we are recommending that the Chief Information Officer direct the Chief Information Security Officer to devote additional resources to implement OMB-required security controls. It is well within our responsibility, when conducting audits, to identify areas where increased resources are needed to resolve a deficiency.

Also, in a final comment, the Chief Information Officer expressed concern that the title of the draft report, DHS Must Address the Emerging Security Threat from the Proliferation of Portable Storage Devices, predisposes readers to think that the department has not taken any action in that regard. We agree and have revised the title as requested.

Appendix A
Purpose, Scope and Methodology

Our objective was to determine whether DHS has addressed the emerging security threat from the proliferation of portable storage devices. We also followed up on the actions DHS has taken in response to Office of Management and Budget (OMB) Memorandum 06-16 (M-06-16), Protection of Sensitive Agency Information.

To accomplish our audit, we interviewed selected personnel at CBP, CIS, FEMA, FLETC, ICE, Management, NPPD, I&A, S&T, TSA, USCG, and USSS. In addition, we reviewed and evaluated DHS' and components' security policies and procedures regarding the use of portable storage devices.
We performed discovery scans, using USBDetect software, to identify whether unauthorized devices had been connected to DHS' unclassified systems at 11 components (CBP, CIS, FEMA, FLETC, ICE, Management, NPPD, S&T, TSA, USCG, and USSS) and five international airports located in California, Florida, Maryland, and Virginia. In addition, we performed scans on selected classified systems at FEMA, I&A, and S&T.

We conducted our evaluation between February and May 2008, under the authority of the Inspector General Act of 1978, as amended, and according to the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency (PCIE). Major OIG contributors to the audit are identified in Appendix C.

The principal OIG points of contact for the audit are Frank Deffer, Assistant Inspector General, Office of Information Technology, at (202) 254-4100; and Edward G.
Coleman, Director, Information Security Audits Division, at (202) 254-5444.

Appendix B
Management Comments to the Draft Report

Appendix C
Major Contributors to this Report

Information Security Audit Division

Edward Coleman, Director
Chiu-Tong Tsang, Audit Manager
Mike Horton, Information Technology Officer
Barbara Bartuska, Audit Manager
Charles Twitty, Audit Team Leader
Nazia Khan, IT Specialist
Thomas Rohrback, IT Specialist

Melissa Keaster, Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Assistant Secretary for Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Chief Information Officer
Deputy Chief Information Officer
Chief Information Security Officer
Director, Compliance and Oversight
Director, GAO/OIG Liaison Office
Chief Information Officer Audit Liaison
Chief Information Security Officer Audit Manager

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies
To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline
To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.
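The discovery scans described in Appendix A reconstruct, after the fact, which devices were attached to a host and whether each one was authorized. The following is an added example and is not USBDetect, whose data-gathering method the report does not describe, nor any OIG tooling. It performs the same kind of check over constructed Linux kernel log lines standing in for the host records an audit team would collect: it correlates the kernel's separate vendor/product, serial-number and mass-storage messages for each attachment by host and bus path, then flags every storage device whose identity is not on a hypothetical list of issued drives. The host names, log lines and approved list are all constructed.

```python
"""Added example: after-the-fact discovery of USB mass-storage attachments.
Not USBDetect and not the OIG's tooling; the log lines and the approved-device
list below are constructed for illustration."""
import re

# Constructed sample in Linux kernel (syslog) format: two hosts, three
# attachments.  ws-4417 sees an approved flash drive and a keyboard;
# ws-0093 sees a flash drive that is not on the approved list.
SAMPLE_LOG = """\
Feb 12 09:14:02 ws-4417 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Feb 12 09:14:02 ws-4417 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Feb 12 09:14:02 ws-4417 kernel: usb 1-2: SerialNumber: 4C530001230419114250
Feb 12 09:14:02 ws-4417 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Feb 12 09:20:45 ws-4417 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Feb 12 09:20:45 ws-4417 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
Feb 13 17:02:11 ws-0093 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Feb 13 17:02:11 ws-0093 kernel: usb 2-1: SerialNumber: 60A44C413F1EB9F0
Feb 13 17:02:12 ws-0093 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical inventory of issued drives: (idVendor, idProduct, serial number).
APPROVED = {("0781", "5583", "4C530001230419114250")}

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
FOUND = re.compile(r"^usb (?P<path>[\d.-]+): New USB device found, "
                   r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"^usb (?P<path>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(r"^usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def parse_attachments(log_text):
    """Return one record per attachment.  The kernel spreads a device's identity
    over several lines, so lines are correlated by (host, bus path); a new
    'New USB device found' line on the same path starts a fresh record, because
    paths are reused when one device is unplugged and another plugged in."""
    latest = {}
    attachments = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        f = FOUND.match(msg)
        if f:
            rec = {"time": m["ts"], "host": host, "path": f["path"],
                   "vid": f["vid"], "pid": f["pid"], "serial": None, "storage": False}
            latest[(host, f["path"])] = rec
            attachments.append(rec)
            continue
        s = SERIAL.match(msg)
        if s and (host, s["path"]) in latest:
            latest[(host, s["path"])]["serial"] = s["serial"]
            continue
        st = STORAGE.match(msg)
        if st and (host, st["path"]) in latest:
            latest[(host, st["path"])]["storage"] = True
    return attachments


def unauthorized_storage(attachments, approved=APPROVED):
    """Mass-storage attachments whose (vendor, product, serial) is not in the
    approved set.  A drive that reports no serial number cannot be matched to
    an issued device and is therefore reported as unauthorized."""
    return [a for a in attachments
            if a["storage"] and (a["vid"], a["pid"], a["serial"]) not in approved]


if __name__ == "__main__":
    for a in unauthorized_storage(parse_attachments(SAMPLE_LOG)):
        print(f"{a['time']} {a['host']}: unapproved storage device "
              f"{a['vid']}:{a['pid']} serial={a['serial']} on usb {a['path']}")
```

On the sample, only the ws-0093 attachment is reported: the ws-4417 drive matches the inventory and the keyboard is not a storage device. Two caveats apply to any scan of this kind: it sees only attachments still present in the retained logs, so log rotation shortens its reach, and matching on vendor, product and serial identifies a device as one that was issued, not as one that was used appropriately.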